Privacy Statement

1. Controller

• The data controller is Elevates Digital Services OÜ, registry code 17455911, registered at Harju maakond, Tallinn, Kesklinna linnaosa, Tartu mnt 67/1-13b, 10115, Estonia.
• Contact email for data protection enquiries: Hussein S Mohammedameen, agha@elevates.it & info@elevates.it.
• The Company has assessed its processing activities and determined that the appointment of a Data Protection Officer is not currently required under Article 37 of the GDPR. Data protection enquiries may be directed to the contact details in Section 1.2.

2. Data Collected

• Contact & Professional Data: name, email address, telephone number.
• Technical & Usage Data: IP address, device and browser information, cookies, interaction data, and error logs.
• Marketing Preferences: opt-in status for newsletters and promotional communications.

3. Legal Bases for Processing

The Company processes personal data on the following legal bases pursuant to Article 6 of the GDPR:

• Consent — where the data subject has given explicit consent;
• Contractual necessity — where processing is necessary for the performance of a contract;
• Legitimate interest — for security monitoring, analytics, and service improvement;
• Legal obligation — where processing is required by applicable law.

4. Protection of Minors

• The Company does not intentionally collect or process personal data of individuals under the age of 13.
• For individuals aged 13–17, the processing of personal data requires verifiable guardian consent in accordance with Article 8 of the GDPR and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

5. Use & Sharing of Data

• Personal data is used for: responding to enquiries, delivering consultancy services, performing diagnostics, and improving the Services.
• Data is shared only with:
  • EU-based cloud hosting providers (currently Hostinger);
  • legal or regulatory authorities upon valid legal request;
  • prospective acquirers of the Company or its assets, subject to a non-disclosure agreement.
• The Company does not sell personal data to third parties.

6. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), such transfers shall be subject to EU Standard Contractual Clauses or an adequacy decision by the European Commission, as applicable.

7. Data Retention

Personal data is retained for the following periods:

• Enquiry data: 24 months from the date of the last interaction;
• Contract and invoicing records: 7 years, in accordance with Estonian accounting obligations;
• System and error logs: 12 months;
• Marketing consent records: 3 years from the date of the last opt-in confirmation.

Upon expiry of the applicable retention period, personal data shall be securely erased or anonymised.

8. Security Measures

• The Company shall implement and maintain appropriate technical and organisational security measures to protect personal data, including encryption in transit and at rest, access controls based on the principle of least privilege, and pseudonymisation where appropriate.
• The Company shall conduct Data Protection Impact Assessments where required under Article 35 of the GDPR and periodically review its processing activities to assess risk.

9. Cookies

• The website uses essential cookies required for core site functionality. These do not require consent.
• Prior to the deployment of any non-essential cookies, the Company shall implement a compliant cookie consent mechanism in accordance with the ePrivacy Directive (2002/58/EC) and applicable national transposition.

10. Data Subject Rights

Pursuant to the GDPR, data subjects are entitled to the following rights: access, rectification, erasure, restriction of processing, objection, data portability, and the right to withdraw consent at any time without affecting the lawfulness of processing conducted prior to such withdrawal.

• Requests may be submitted to: agha@elevates.it or info@elevates.it. The Company shall provide a formal response to all valid requests within a period of thirty (30) days from the date of receipt.
• The lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, "AKI"). Data subjects may lodge a complaint with the AKI or, alternatively, with the supervisory authority in their Member State of habitual residence or place of work, in accordance with Article 77 of the GDPR.

11. Changes to This Privacy Statement

Material changes to this Privacy Statement shall be communicated by means of a prominent banner notice on the website and a revised version date. Where required by law, consent shall be re-obtained.